Typical applications requiring authentication rely on usernames and passwords. This basic authentication technique is used in many types of environments, from social media services to business applications to Internet-of-Things (IoT) software. Through a username and password, a minimal level of confirmation may be obtained that an identity seeking access to an application is who it purports to be.
But usernames and passwords have significant security limitations. If such credentials are obtained by an unauthorized person (e.g., through credential theft, guessing, keystroke logging, or other techniques), they cease to provide any security. To the contrary, the unauthorized person can impersonate the rightful user and perform all actions that the rightful user is able to perform. Further, organizations often impose requirements on passwords (e.g., length, complexity, and expiration requirements) that cause users to forget their passwords. This in turn creates burdens for both the users and the organizations, which must address requests to reveal or reset passwords.
Two-factor authentication can offer enhanced security over traditional username-and-password security. By requiring, for example, a password and a biometric verification, some added security may be achieved. Similarly, requiring a user to present a password and a value from a portable fob (e.g., RSA SecurID™) can add protection over basic username-and-password security. Nevertheless, two-factor authentication also has drawbacks. For example, techniques such as these are unable to concurrently authenticate an identity and that identity's physical presence proximate to the endpoint resource it is attempting to access. In addition, many two-factor authentication techniques are cumbersome or inefficient, which can lead some users to implement workarounds or other insecure approaches to dealing with secure resources. Further, these techniques are unable to dynamically couple an identity to a secure session, such as by provisioning the relevant authentication or authorization credentials, or by obtaining an identity from an identity provider.
Accordingly, in view of these and other deficiencies in existing techniques for authentication and secure access to resources, technological solutions are needed for efficiently providing authentication of identities. Solutions ideally should allow for a two-mode authentication, where both the identity itself and its physical proximity to an endpoint it is seeking to access are verified. Further, solutions should automatically provision authenticated identities with appropriate levels of secure access to the endpoint (e.g., partially privileged access or non-privileged access).